Canadian Intellectual Property Office
An agency of Industry Canada



(21) 2 425 184

(12) CANADIAN PATENT APPLICATION

(13) A1

(86) PCT Filing Date: 2000/10/05
(87) PCT Publication Date: 2003/04/07
(85) National Entry: 2003/04/07
(86) PCT Application No.: DE 2000/003507
(87) PCT Publication No.: 2001/025880
(30) Priorities: 1999/10/07 (199 48 319.1) DE; 2000/04/27 (100 20 563.1) DE

(51) Int.Cl.7 G07B 17/00
(71) Applicant: DEUTSCHE POST AG, DE
(72) Inventors: LANG, JURGEN, DE; MEYER, BERND, DE
(74) Agent: OGILVY RENAULT

(54) Title: METHOD FOR PRODUCING AND CHECKING FORGE-PROOF DOCUMENTS



[Figure: schematic of the system. Recoverable labels: Authentication unit; Document producer; security module; Checking unit; encrypted random number and identification number; decrypted random number; data input; hash value; document production; document.]

(57) Abstract

The invention relates to a method for producing forge-proof documents using a security module which generates a temporary secret which is unknown to the document producer. The temporary secret, in conjunction with information revealed about the identity of the security module, is transferred in encrypted form to an authentication unit. Said authentication unit recognizes the identity of the security module and decodes the temporary secret together with other information which is encoded in such a way that only one checking station can implement decoding. The authentication unit transfers data to the document producer who transfers producer data, which is integrated into the document, to the security module. The security module irreversibly links the data inputted by the document producer to the temporary secret in such a way that only repeated linking of the same data in the same manner yields an identical result. It is not possible to draw conclusions about the temporary secret. The result of said irreversible linkage of data to the temporary secret is integrated into the document.
Published:

with international search report

(88) Date of publication of the international search report: 15 August 2002

For an explanation of the two-letter codes and the other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations" at the beginning of each regular issue of the PCT Gazette.



(57) Summary: A method for producing forgery-proof documents using a security module that generates a temporary secret unknown to a document producer; this secret, together with the identity of the security module, is passed in encrypted form to an authentication unit, which decrypts the temporary secret. The authentication unit recognizes the identity of the security module and encrypts the temporary secret together with further information in such a way that only a checking unit can decrypt them. The authentication unit transmits the information to the document producer, who passes its own data, which is introduced into the document, to the security module. The security module irreversibly links the data introduced by the document producer itself with the temporary secret, so that an identical result can arise only when the same data is linked again in the same manner. The result of the irreversible linking of the data with the temporary secret is incorporated into the document.
Description

Method for producing and checking forgery-proof documents



The invention relates to a method for producing forgery-proof documents using a security module, whereby the security module generates a temporary secret which remains unknown to a document producer, whereby the temporary secret, together with information that reveals details about the identity of the security module, is transferred in encrypted form to an authentication unit, whereby an authentication unit decrypts the temporary secret, recognizes the identity of the security module and encrypts the temporary secret, together with additional information, in such a way that only a checking unit can carry out a decryption and then the authentication unit transmits the encrypted temporary secret and the additional information to the document producer, whereby the document producer transfers its own data, which has been introduced into the document, to the security module, whereby the security module irreversibly links the temporary secret with the data that the document producer itself has introduced, in such a way that only when the same data is linked again in the same manner can an identical result be obtained, and whereby it is not possible to draw conclusions about the temporary secret.

The invention also relates to a method for checking the authenticity of a given document.

This method and this system, which pertain to the operating principle of a security module in the realm of the digital signature and of the use of encryption techniques, involve three entities in addition to the security module:

• the producer/processor of a document, hereinafter referred to as "document producer",

• an authentication unit that can identify the security module and link it to the identity of the document producer and

• a checking unit where the integrity of the document and the identity of the document producer are checked.

Systems for digital signature such as, for example, the public key signature method according to patent specifications DE 195 13 896 A1 or DE 197 03 929 A1, are known for ensuring that documents are forgery-proof and for identifying document producers.

A digital signature is a seal that relates to digital data and that is generated with a private signature key, whereby said seal - by means of an appertaining public key that is provided with a signature key certificate - makes it possible to verify the owner of the signature key and the integrity of the data (see Article 2, Clause 1 of SigG - German Signature Law). According to the terminology employed here, a checking unit is capable of checking the digital signature of a document producer and thus its identity as well as the integrity of the data contained in the document, if it knows the public signature key of the document producer that is provided with a signature certificate.

Using the method of the digital signature is problematic when either the checking unit does not know the public signature key of the document producer that is provided with a signature key certificate of a certification unit or else when the document producer does not have its own private or public signature key.

The invention is based on the objective of creating a method for producing and/or checking forgery-proof documents that can also be used when the checking unit does not know the public signature key of the document producer and/or when the document producer does not have its own private or public signature key.

According to the invention, this objective is achieved in that the result of the irreversible linking of the temporary secret with the data introduced by the document producer is incorporated into the document.

Another subject matter of the invention is to carry out a method of the type described above in order to check the authenticity of documents in such a way that the checking unit checks whether the result of an irreversible linking of a secret with data introduced by a document producer has been incorporated into the document, in that the checking unit decrypts the secret and additional information that were encrypted by an authentication unit.

Here, it is especially advantageous for the checking unit to irreversibly link the decrypted temporary secret with the data introduced into the document by the document producer, in the same manner as a security module used to produce the forgery-proof document.

In order to increase data security when producing documents, it is advantageous to perform the method for producing the documents in such a way that the additional information transferred by the authentication unit, together with the temporary secret, is transmitted in encrypted form to the document producer.

Here, it is especially advantageous for the additional information transferred by the authentication unit, which is transmitted to the document producer, together with the temporary secret, to be transmitted in such a way that only a checking unit can carry out a decryption.

Advantageously, the method is performed in such a way that the additional information transferred by the authentication unit contains details on the identity of the document producer and on the validity of the documents generated by the document producer.

In order to check whether the documents were generated by means of the method described above by the document producer who is authorized to do so, it is advantageous to carry out the method to check the authenticity of the document in such a way that the checking unit compares the result of the irreversible linking that it has performed itself with the result of an irreversible linking that was performed by the document producer and incorporated into the document.

Here, it is advantageous that the comparison determines whether data introduced into the document by the document producer has been forged.

Although the steps of producing and checking are carried out separately from each other, it is especially advantageous to combine them into a total process in which the documents are generated as well as checked according to predefined criteria.

In this context, it is advantageous that there is no direct communication and no shared data storage and data processing between the authentication unit and the checking unit.

Additional advantages, special features and practical refinements of the invention can be gleaned from the subordinate claims and from the following presentation of a preferred embodiment with reference to the drawings.

The drawings show the following:

Figure 1 - a security module that can be used in the method and

Figure 2 - a schematic representation of a system for generating and checking forgery-proof documents.

With the method and system described here, a checking unit to which both the document producer and the document it has produced are not known has the possibility to reliably check the integrity of the data contained in the document as well as the identity of the document producer, even without the use of a digital signature.

For this purpose, the document producer uses a security module that is realized by using various technical means, preferably involving the interaction of software with programmable hardware, and comprising five active units and three passive units as well as two data output ports and one data input port (see Figure 1).

The active units are:

• a secret generator that generates an unpredictable temporary secret (random number),

• an encryption machine that uses a known method to encrypt an input value with a key stored in a register,

• a hash machine that, on the basis of an input value, uses a known method to form a hash value of this input value (see Article 17, Clause 2 of SigV - German Signature Regulations) and

• two combination machines, each of which combines a result value on the basis of two input values.

The passive units are:

• a key register in which a key is stored, with which the encryptions can be generated which can only be decrypted by the confirmation unit,

• an identification register containing data with which the security module can unambiguously identify itself at a confirmation unit and

• an intermediate memory unit in which the secret generated in the secret generator is temporarily stored.

The data input ports and the data output ports are the only direction-specific input and output possibilities for the security module. Neither the document producer nor third parties can gain any other type of entry or access to the security module. Specifically, the data input ports and data output ports are the following:

• a data output port 1 via which the data is output that is transferred to the authentication unit,

• a data output port 2 via which the data is output that is incorporated into the document and

• a data input port via which the information can be input by the document producer.

Preferably, the security module described below is used in the method to produce forgery-proof documents.

In the security module, a secret generator creates an unpredictable secret (for example, a random number) that remains unknown outside of the security module and it transfers this secret to the combination machine 1 on the one hand and to the intermediate memory unit on the other hand. The combination machine 1 combines the secret with the data contained in the identification register that unambiguously identifies the security module at a confirmation unit. The result value of the combination machine is input into the encryption machine which uses the key from the key register to generate an encrypted result value that can only be decrypted by the authentication unit. This result value is output from the security module via the data output port 1 in order to be transferred to the authentication unit.

When the authentication unit decrypts the result value that has been output and transferred from the data output port 1, said authentication unit breaks down this result value into the secret and into the data from the identification register, then identifies the security module on the basis of the data from the identification register and encrypts the secret and additional information with a key that can only be decrypted by the checking unit, then the encrypted secret and additional information can be transferred to the document producer, who then incorporates them into the document and they can subsequently be decrypted by the checking unit.

Data that the document producer itself introduces via the data input port into the security module is combined by the combination machine 2 with the secret that is stored in the intermediate memory unit. The result value of the combination machine 2 is input into the hash machine that uses a known method to form a hash value of the input value. This result value is output from the security module via the data output port 2 in order to be incorporated into the document.
Preferably, the following is incorporated into the document:

• the data that the document producer itself has introduced into the security module via the data input port,

• the hash value that has been output by the security module via the data output port 2 and

• the secret and the additional information encrypted by the authentication unit that can only be decrypted by the checking unit.

A checking unit checks the integrity of the document and the identity of the document producer in that the secret and the additional information encrypted by the authentication unit are decrypted by means of a known method and in that a hash value is formed in the security module on the basis of a combination of the secret and the data introduced by the document producer itself and this hash value is compared to the transmitted hash value. If the comparison of the hash values - analogously to the checking of a digital signature - yields the identity of the generated and transmitted hash values, then the document cannot have been forged.

The authentication unit transmits additional information to the document producer encrypted in such a way that only the checking unit can decrypt it, whereby said information is transferred to the document producer to be incorporated into the forgery-proof document for purposes of information on the identity of the document producer and on the period of validity of the documents generated by the document producer.

A preferred area of application of the invention is that document producers are, for example, persons who use a computer (PC) to themselves print out entrance tickets, plane tickets or vouchers whose integrity can be verified by a checking unit that, for instance, controls access to places associated with these documents. The authentication unit is, for example, the ticket office that issues the entrance tickets with which the document producer communicates electronically via the Internet prior to the printing out of the entrance tickets. The security module is a technical means that is preferably realized by means of the interaction of software with programmable hardware and that is at least temporarily a component of the hardware and software of the PC of the document producer.

The invention can ensure that, for example, even without checking the digital signature of the document producer with all of the consequences this entails (individual public signature key of all document producers to be checked), the checking unit that controls the entrance can verify the integrity of a document that was issued within the sphere of influence of an unreliable document producer via its PC and printer. The security module ensures the integrity of information that was inserted into the document by the document producer without the knowledge of the authentication unit as well as the identifiability of the document producer.

Advantageous effects of this invention can be seen in the fact that companies and organizations - by using security modules - can offer their clients the means to easily print out documents via the Internet whose integrity can be checked reliably. It is especially advantageous here that the document producer can dispense with the use of digital signatures, which is associated with a considerable infrastructural and organizational complexity as well as country-specific legal uncertainty. Moreover, with the method and system described, it is advantageous that the scope of the information within the document that serves for the checking unit to check the document is very small in comparison to a digital signature, where the public signature key of the document producer, provided with a signature key certificate of a certification unit, can constitute a component of the document. It is also advantageous that, in order to check the integrity, there does not have to be any direct communication or shared data storage and processing between the authentication unit and the checking unit. Finally, it is advantageous that the communication between the security module and the authentication unit on the one hand, and between the document production and document checking on the other hand can be fundamentally uncoupled from each other in such a way that several documents can be produced on the basis of one communication between the security module and the authentication unit, into which documents different document-specific data can be input by the document producer.
An advantageous method for producing and checking forgery-proof documents will be described below with reference to Figure 2.

Figure 2 shows a system in which information generated by a document producer is transferred to an authentication unit, where it is processed and once again transferred to the document producer. The document producer uses the information transmitted by the authentication unit to produce forgery-proof documents. A procedure preferably separated from the document production is the checking of the forgery-proof documents in a checking unit.

The system presented contains the process steps 1 to 8 described below.

In a first process step 1, a temporary secret is generated in the form of a random number that is encrypted together with an identification number of the security module with the public key of the authentication unit so that the document producer cannot gain access to this temporary secret and it can only be decrypted by the authentication unit.

The process step designated with the reference numeral 2 comprises the transfer of the encrypted random number and the identification number to the authentication unit. It should be pointed out that this transfer can also go via an unsecured route since only the authentication unit is capable of decrypting the information.

In a subsequent process step 3, the authentication unit decrypts the random number and the identification number with the private key of the authentication unit. The random number is encrypted with additional information on the identity of the document producer and on the period of validity of the documents produced by the document producer in such a way that only the checking unit can decrypt the random number and the additional information.

In the process step designated with the reference numeral 4, the encrypted information is transferred to the document producer. It should be pointed out that this transfer can also go via an unsecured route since only the checking unit is capable of decrypting the information.

For this reason, the method is especially well-suited for use in data networks that can hardly or not at all be secured against unauthorized access such as, for example, the Internet.

In the process step designated with the reference numeral 5, the document producer enters its own data into the security module, whereby said data serves to identify the document.

In the process step designated with the reference numeral 6, a hash value is formed from the combination of the data input by the document producer and the still-stored random number. The subsequently produced document contains the data that the document producer itself introduces into the document, the just-formed hash value as well as the encrypted information of the authentication unit.

A further process step 7 involves the transfer of the document consisting of the data of the user, the hash value and the encrypted information of the authentication unit (see item 3).

In a checking unit, a process step designated with the reference numeral 8 entails a decryption of the information of the authentication unit using the key of the checking unit. According to Claim 1, the decrypted random number can be used, together with the data that the document producer itself has introduced into the document, to form a hash value and this is done by means of the same, generally known method that was used in the security module to form the hash value. A comparison of the formed hash value with the transferred hash value provides reliable information as to whether the data introduced by the document producer itself was forged. According to Claim 2, additional information on the identity of the document producer and on the period of validity of the documents generated by the document producer can be decrypted here.
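The security module data flow and process steps 1 to 8 above, run end to end, as an added example that is not code from the patent. It assumes a standard-library stand-in cipher (symmetric, so the key register holds the authentication unit's key rather than the public key named in step 1), HMAC-SHA256 as the irreversible link, and constructed names, identifiers and ticket data.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the patent's unspecified "known method" of encryption (assumption):
# HMAC-SHA256 keystream in counter mode with encrypt-then-MAC, standard library only.
def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def link(secret, data):
    # Combination machine 2 + hash machine; HMAC-SHA256 keyed with the secret is an assumption.
    return hmac.new(secret, data, hashlib.sha256).hexdigest()

class SecurityModule:
    def __init__(self, module_id, auth_unit_key):
        self._id = module_id          # identification register
        self._key = auth_unit_key     # key register (step 1 uses a public key instead)
        self._secret = None           # intermediate memory unit

    def output_port_1(self):
        # Steps 1-2: fresh secret, combined with the module id, encrypted for the authentication unit.
        self._secret = secrets.token_bytes(32)
        return seal(self._key, json.dumps({"id": self._id, "secret": self._secret.hex()}).encode())

    def output_port_2(self, producer_data):
        # Steps 5-6: the data input port feeds the link; the secret never leaves the module.
        if self._secret is None:
            raise RuntimeError("no secret generated yet")
        return link(self._secret, producer_data)

class AuthenticationUnit:
    def __init__(self, own_key, checking_unit_key, registry):
        self._own_key, self._checking_key, self._registry = own_key, checking_unit_key, registry

    def certify(self, blob, valid_until):
        # Steps 3-4: decrypt, identify the module, re-encrypt for the checking unit only.
        msg = json.loads(unseal(self._own_key, blob))
        info = {"secret": msg["secret"], "producer": self._registry[msg["id"]],
                "valid_until": valid_until}
        return seal(self._checking_key, json.dumps(info).encode())

def produce_document(module, token, data):
    # Step 7: the document carries the producer's data, the hash value and the encrypted token.
    return {"data": data, "hash": module.output_port_2(data.encode()), "token": token.hex()}

def check_document(doc, checking_unit_key, today):
    # Step 8: decrypt the token, repeat the link, compare; also enforce the validity period.
    try:
        info = json.loads(unseal(checking_unit_key, bytes.fromhex(doc["token"])))
    except (KeyError, ValueError):
        return (False, None)
    expected = link(bytes.fromhex(info["secret"]), doc["data"].encode())
    ok = hmac.compare_digest(expected, doc["hash"]) and today <= info["valid_until"]
    return (True, info["producer"]) if ok else (False, None)

def demo():
    # Constructed keys, identifiers and ticket texts, for illustration only.
    auth_key, check_key = secrets.token_bytes(32), secrets.token_bytes(32)
    module = SecurityModule("SM-0001", auth_key)
    auth = AuthenticationUnit(auth_key, check_key, {"SM-0001": "producer-42"})
    token = auth.certify(module.output_port_1(), valid_until="2030-12-31")
    # One exchange with the authentication unit covers several documents.
    seat_a = produce_document(module, token, "Concert, seat 12A")
    seat_b = produce_document(module, token, "Concert, seat 12B")
    forged = dict(seat_a, data="Concert, seat 1A")
    results = {name: check_document(doc, check_key, "2030-01-01")
               for name, doc in (("seat_a", seat_a), ("seat_b", seat_b), ("forged", forged))}
    results["expired"] = check_document(seat_a, check_key, "2031-01-01")
    return results

if __name__ == "__main__":
    print(demo())
```

The forged and expired results are the two rejections the checking unit makes on its own, using only its key and the contents of the document.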

Through the method and the system for producing forgery-proof documents using a security module, a checking unit to which both the document producer and the document it has produced are not known has the possibility to reliably check the integrity of the data contained in the document as well as the identity of the document producer, even without the use of a digital signature. All of the checking information needed for this purpose, which has to be incorporated into the document, is made available to an authentication unit with which the security module used for the production of the document communicates prior to producing/processing the document. The method and the system are especially well-suited to give people the possibility to use their own PCs to print out, for example, entrance tickets or vouchers that can be reliably checked for their integrity.
1. A method for producing forgery-proof documents using a security module,

• whereby the security module generates a temporary secret which remains unknown to a document producer,

• whereby the temporary secret, together with information that reveals details about the identity of the security module, is transferred in encrypted form to an authentication unit,

• whereby an authentication unit decrypts the temporary secret, recognizes the identity of the security module and encrypts the temporary secret, together with additional information, in such a way that only a checking unit can carry out a decryption and then the authentication unit transmits the temporary secret and the additional information to the document producer,

• whereby the document producer transfers its own data, which has been introduced into the document, to the security module,

• whereby the security module irreversibly links the temporary secret with the data that the document producer itself has introduced in such a way that only when the same data is linked again in the same manner can an identical result be obtained, and

• whereby it is not possible to draw conclusions about the temporary secret,

characterized in that the result of the irreversible linking of the temporary secret with the data introduced by the document producer is incorporated into the document.

2. The method according to Claim 1, characterized in that the additional information transferred by the authentication unit, together with the temporary secret, is transmitted in encrypted form to the document producer.

3. The method according to Claim 2, characterized in that the additional information transferred by the authentication unit, which is transmitted to the document producer, together with the temporary secret, is transmitted in such a way that only a checking unit can carry out a decryption.

4. The method according to one or more of the preceding claims, characterized in that the additional information transferred by the authentication unit contains details on the identity of the document producer and on the validity of the documents generated by the document producer.

5. The method for checking the authenticity of a document, characterized in that the checking unit checks whether the result of an irreversible linking of a secret with data introduced by a document producer has been incorporated into the document, in that the checking unit decrypts the secret and additional information that were encrypted by an authentication unit, and in that the checking unit irreversibly links the decrypted temporary secret with the data introduced into the document by the document producer, in the same manner as a security module used to produce the forgery-proof document.

6. The method according to Claim 5, characterized in that the checking unit compares the result of the irreversible linking that it has performed itself with the result of an irreversible linking that was performed by the document producer and incorporated into the document.

7. The method according to Claim 6, characterized in that the comparison determines whether data introduced into the document by the document producer has been forged.

8. A method for producing and later checking forgery-proof documents, characterized in that the documents are produced by a method according to one or more of Claims 1 to 4, and in that the documents are subsequently checked by means of a method according to one or more of Claims 5 to 7.

9. The method according to Claim 8, characterized in that there is no direct communication and no shared data storage and data processing between the authentication unit and the checking unit.
Method and system for producing forgery-proof documents




